The compliance processes that many United States bulk electric system owners and operators (utilities) use to meet North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standards are not sustainable.
It is possible, however, to create a sustainable NERC CIP program that goes beyond assuring compliance to protect critical infrastructure assets from attacks. Utilities should focus on creating a continuous cycle of activities—or a life-cycle of sustainability—to help overcome challenges.
Utilities invest a great deal of time and energy in interpreting NERC CIP standards and defining the policies, processes, roles and responsibilities, and technical controls that the utilities must implement to assure compliance. In this context, some of the greatest challenges include:
Four steps can lead utilities to a point at which they maintain compliance efficiently and realize business benefits beyond avoiding expensive penalties:
Understand where you stand today.
Establish a sustainability strategy and governance framework.
Establish an actionable plan to build the foundational components of a sustainable program.
Begin industrializing key NERC CIP processes.
Utilities that follow these steps can reach a point at which they not only maintain compliance efficiently but also experience business benefits beyond avoiding expensive penalties and negative publicity. Benefits include:
Attackers routinely breach infrastructures and systems that are fully compliant with regulatory standards. Protecting power grids therefore requires more than regulatory compliance. An advanced approach to operations that spans the entire business is critical. It must take into account the processes, procedures, stakeholders (and their responsibilities), tools and technologies that underpin the NERC CIP program. It also requires collaboration between physical security and cybersecurity stakeholders, and making security intrinsic to every area of utility operations.